Dark Web Monitoring for Businesses: Why It Matters

Most cyber attacks make the news only after the work is done. The intrusion that ends up in the press is typically the final stage of a chain that began months earlier, with a username and password listed for sale on a criminal forum. Verizon’s 2025 Data Breach Investigations Report found that 22% of breaches begin with stolen credentials, and 88% of attacks against basic web applications involve them. The November 2025 cyber attack on three London councils, where shared IT systems between Kensington and Chelsea, Westminster, and Hammersmith and Fulham allowed disruptions to spread across boroughs, is the public version of something that happens to far smaller organisations every week.

Where stolen credentials end up

The dark web is a layer of the internet that Google and Bing do not index and that requires specific software to access. It hosts criminal marketplaces, forums, and data dumps where stolen login details change hands. Credentials get there through a handful of routes: phishing emails, infostealer malware that scrapes passwords from infected machines, and large-scale breaches at third parties whose users reused the same password elsewhere. Verizon’s report found that 54% of ransomware victims had credentials appear in infostealer logs before the attack itself was carried out, which shows how often the underground sale precedes visible damage.

Stolen credentials don’t expire on their own

A leaked password rarely gets used the same day it’s harvested. It enters circulation, gets traded, is often sold in bulk, and may go through several hands before anyone tries it against a live system. IBM’s 2025 Cost of a Data Breach Report puts the global mean time to identify and contain a breach at 241 days, the lowest figure in nine years but still over eight months. Staff details can sit on a criminal forum for the better part of a year before any sign of misuse appears in the environment they came from.

The bundle that comes with a stolen password

A credential set rarely surfaces in isolation. The accompanying records can include date of birth, home address, National Insurance number, mobile number, and previous passwords used by the same individual. Verizon’s analysis of breached databases found that email addresses appeared in 61%, phone numbers in 39%, and government-issued IDs in 22%. Together they make identity theft, business email compromise, and tailored phishing far simpler to pull off, particularly when an attacker can match a personal address to a corporate login.

Why smaller businesses get hit

Headline coverage tends to follow large enterprises, but the UK government’s Cyber Security Breaches Survey 2025/2026 estimates that around 612,000 UK businesses identified a cyber breach or attack in the last 12 months. Smaller organisations are appealing to attackers because they have fewer dedicated security staff, less mature monitoring, and accounts that often unlock access to clients, suppliers, and partners further up the chain. Many SMEs hold the keys to far larger client and supplier networks, whether it’s an accountancy firm with shared portals for its clients, a managing agent with access to dozens of landlords, or a marketing consultancy with admin rights on a customer’s website. One compromised credential at the smaller end can give an attacker access to the larger one.

What dark web monitoring does

Dark web monitoring for businesses scans the criminal forums, paste sites, marketplaces, botnets, and chat groups where stolen credentials surface. Credential monitoring for UK businesses tracks specific identifiers, usually company email domains, and flags any time a match appears in a known dump or fresh listing. The output is timely intelligence on which of your accounts have been exposed, when, and in what context, which lets the response be precise rather than speculative. Done properly, this is continuous. Criminal forums refresh constantly, and a credential that was clean six months ago may show up this week. It sits naturally alongside the day-to-day work of proactive IT support, where the goal is to address potential issues before they cause real damage.

Knowing earlier changes what you can do

When a match comes back, the response is straightforward and time-sensitive. Reset the password on the affected account, force the same on any system where that password may have been reused, check for unusual logins, enable multi-factor authentication if it’s not already in place, and brief the staff member involved on what was exposed. None of these steps are complex, but they only work if someone has told you the credential is out there. Without monitoring, the alert tends to come from a bank, a customer, or a regulator, by which point options have narrowed considerably. Credential monitoring works best as one layer in a defence-in-depth approach, sitting alongside managed anti-virus, patching discipline, and staff awareness.
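The domain matching and response steps described above can be sketched as a small triage routine. This is an added example, not 4TC’s or any vendor’s code; the feed fields, the `example.co.uk` domain, and the account inventory are constructed, hypothetical sample data, and the sighting date is used as a conservative bound for deciding whether the current password may be the leaked one.

```python
from datetime import date

MONITORED_DOMAINS = {"example.co.uk"}  # assumption: your company email domains

# Constructed sample findings; field names are hypothetical, not a vendor format.
FINDINGS = [
    {"email": "j.smith@example.co.uk", "source": "marketplace listing", "seen": date(2025, 9, 20)},
    {"email": "J.Smith@Example.co.uk", "source": "infostealer log", "seen": date(2025, 11, 3)},
    {"email": "a.patel@example.co.uk", "source": "third-party breach", "seen": date(2025, 6, 12)},
    {"email": "someone@other.example", "source": "paste site", "seen": date(2025, 10, 1)},
    {"email": "old.temp@example.co.uk", "source": "paste site", "seen": date(2025, 10, 5)},
]

# Constructed account inventory, e.g. an export from your identity provider.
ACCOUNTS = {
    "j.smith@example.co.uk": {"password_changed": date(2025, 8, 1), "mfa": False},
    "a.patel@example.co.uk": {"password_changed": date(2025, 9, 30), "mfa": True},
}

def triage(findings, accounts, domains):
    """Map each exposed address on a monitored domain to its response actions."""
    latest = {}
    for f in findings:
        email = f["email"].strip().lower()  # feeds vary in letter case
        if email.rpartition("@")[2] not in domains:
            continue  # exact domain match, so look-alike domains are ignored
        if email not in latest or f["seen"] > latest[email]:
            latest[email] = f["seen"]  # keep the most recent sighting
    plan = {}
    for email, seen in sorted(latest.items()):
        acct = accounts.get(email)
        if acct is None:
            plan[email] = ["investigate: not in inventory (leaver or alias?)"]
            continue
        actions = []
        if acct["password_changed"] <= seen:
            actions.append("reset password, here and wherever it was reused")
        else:
            actions.append("password changed since sighting: check reuse elsewhere")
        if not acct["mfa"]:
            actions.append("enable MFA")
        actions += ["check for unusual logins", "brief the user"]
        plan[email] = actions
    return plan

if __name__ == "__main__":
    for email, actions in triage(FINDINGS, ACCOUNTS, MONITORED_DOMAINS).items():
        print(email, "->", "; ".join(actions))
```

Addresses that match the domain but are missing from the inventory are surfaced rather than dropped, since leaver accounts and aliases that were never disabled are easy to overlook.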

The pattern across recent UK incidents is consistent. The intrusion that surfaces in headlines began, weeks or months earlier, as a line on a forum no one was watching. Knowing what’s already been exposed is one of the few defensive moves that doesn’t rely on guessing what an attacker will do next.

4TC’s Dark Web ID monitoring watches the darkest corners of the web so you don’t have to. Speak to the team today to find out if your credentials are already exposed.

Cyber Attack on London Councils: What Businesses Must Know

On 24 November 2025, IT systems across three central London boroughs went dark.

The Royal Borough of Kensington and Chelsea, Westminster City Council, and the London Borough of Hammersmith and Fulham were all taken offline in what investigators treated as a coordinated cyber incident, with the National Crime Agency, the Metropolitan Police, and the National Cyber Security Centre all subsequently involved. Kensington and Chelsea later confirmed that attackers had copied and exfiltrated historical data from its systems. The three councils share parts of their IT infrastructure, and that shared architecture is precisely what made a single compromise so consequential.

For London businesses, a cyber attack on this scale should make you think: if three neighbouring councils sharing IT can be brought down by a single compromise, what would a similar event do to your operation?

Shared infrastructure, shared exposure

The logic of shared IT services is sound on paper. Pooling resources across organisations reduces costs, avoids duplication, and often improves the quality of systems that no single entity could afford alone. Plenty of other organisations, from NHS trusts to private businesses, operate on the same principle, and so do most SMEs, albeit in a different form. Whether you rely on a cloud platform, a managed IT provider, or a suite of SaaS tools, your digital environment is connected to other organisations’ environments in ways that are not always visible.

The councils’ experience illustrates what happens when a shared system is compromised at a point that sits upstream of multiple tenants. One vulnerability, one set of stolen credentials, one unpatched entry point, and the blast radius extends to every organisation drawing on the same infrastructure. Hammersmith and Fulham had its public-facing services suspended even though investigators found no direct evidence its own systems had been breached. Proximity to a shared service was enough to force significant disruption.

The lesson isn’t that shared services are inherently unsafe, but that the junctions where dependencies converge need proportionate security controls. If you don’t know where those junctions sit in your own environment, you can’t defend them.

The SME picture

The UK Government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber security breach or attack in the preceding year. For large businesses the figure was considerably higher, at 74%. IT security in London has historically been framed as an enterprise concern, but the economics of automated attack tooling have closed that gap. Those tools probe for weaknesses across thousands of targets simultaneously, and a small business using the same cloud platform or managed service as a larger target can find itself caught in the same sweep.

Most London SMEs are, in practice, running a version of the shared-services model: cloud-hosted email, third-party CRM, outsourced IT support, and shared accounting platforms. Every one of those connections is a potential entry point. The councils’ incident is unusual in scale, but the underlying mechanics are not: one compromised account, one exploited system, cascading disruption. The same pattern plays out against businesses of every size.

Organisations that contain these incidents quickly almost always have one thing in common: visibility before the attack gets underway, rather than defences only at the point of impact.

The window before the breach

A common misconception is that cyber incidents begin the moment attackers enter a network. Instead, they begin weeks or months earlier, when credentials are stolen, traded, and eventually used. According to IBM’s 2024 Cost of a Data Breach Report, breaches involving compromised credentials took the longest of any attack vector to identify and contain, at nearly ten months. That is a significant window during which stolen credentials may be circulating on dark web forums before anyone inside the affected organisation is aware.

The attack on the councils almost certainly followed a similar pattern. Ransomware and data exfiltration events of this scale do not typically happen spontaneously. Attackers gather information, test access, and move deliberately. The starting point is almost always stolen credentials: an employee’s login, a service account password, or an email address paired with a reused password from an older breach.

Dark web monitoring addresses that gap. Rather than waiting for a breach to become visible inside your own systems, it scans the forums, marketplaces, and encrypted channels where stolen credentials are bought and sold and raises an alert when your organisation’s data appears. The window between a credential being stolen and it being used is often the only opportunity to invalidate it before it causes damage. Most London businesses are not watching that window at all.

4TC’s Digital ID service monitors the dark web continuously for email credentials and other company data associated with your domain. If your team’s logins surface in a breach dump or credential marketplace, you will know about it before an attacker uses them to gain access to your systems. It complements broader security measures such as managed anti-virus, fully managed IT support, and cloud backup.

A practical takeaway

The attack on the councils made headlines because it hit recognisable names in a concentrated area. The same dynamics are at work across businesses of every size: shared dependencies, credential-based entry points, and long detection windows that give attackers time to move. The councils had the NCA, NCSC, and specialist incident responders from NCC Group called in. Most SMEs do not have that infrastructure to fall back on.

Business continuity in a cyber attack scenario often comes down to how quickly the first indicators are spotted. Credentials circulating on the dark web are one of the earliest. The practical response is to reduce the window in which an attacker can operate undetected, and that starts with knowing whether your credentials are already out there.

Find out how 4TC’s dark web monitoring can give your business an early warning against credential theft. Get in touch with the team today.